GDPR and IBM i: The Final Countdown

IBM i shops have just 24 days until the General Data Protection Regulation (GDPR) goes into effect. If you haven’t started your GDPR project yet, it’s likely too late to complete it by May 25. But a good faith start to a GDPR remediation effort could benefit you in the eyes of regulators, should you happen to cross their path. Here’s what IBM i shops need to know as the countdown to GDPR-ageddon continues.

GDPR is a far-reaching law that governs how companies and other organizations are allowed to collect, process, and store personal data about people in the European Union, no matter where the organization itself is located. For American firms, it basically puts an end to the “anything goes” style of data management, while for European firms, it’s a refinement and re-alignment of existing data protection laws. Organizations found violating the GDPR face fines of up to 4 percent of annual worldwide turnover or 20 million euros, whichever is higher. However, experts say EU regulators are expected to go after the big American Web companies first, so small and midsize IBM i shops that do business with EU citizens have some time to clean up their data act.

You can read the entire GDPR regulation at gdpr-info.eu. With 99 articles and 173 recitals, it’s a long read (even for those used to reading TPM), so for brevity’s sake, we’ve sought the advice of experts who can interpret the law for us.

“The purpose of the regulations is not to make it more difficult for businesses to sell, market, or perform any of their normal business functions,” writes Nabeena Mali in a blog on the AppInstitute. “Instead, it is designed to give individuals greater control over who collects and processes their personal data, what it is used for, and how it is kept safe.”

The law differentiates between two types of organizations: controllers and processors. A controller is any organization that determines the purposes and means of processing personal data. Controllers are responsible for establishing a legal basis for processing (consent being one), controlling access to data, and handling requests from the people whose data they hold. A processor, on the other hand, is any organization that processes personal data on behalf of a controller, and it carries its own, narrower set of obligations under the law.

GDPR also differentiates between personal data and sensitive personal data, according to Mali. Personal data is any information that makes it possible to identify an individual, either directly or indirectly. Examples of personal data include names, identification numbers, location data, and online identifiers such as IP addresses and cookie IDs.

Sensitive personal data, which the regulation itself calls “special categories” of personal data (Article 9), covers a narrower, enumerated set of factors: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data used to identify a person, health data, and data about a person’s sex life or sexual orientation. “The collection and processing of sensitive personal data is not allowed, except under very specific circumstances, with additional requirements in terms of data safety,” Mali writes.

Where an organization relies on consent as its legal basis for holding personal or sensitive personal data, that consent must be specific, informed, and freely given. Common business practices, such as blanket consent, consent by default (pre-ticked boxes), and consent bundled into a condition of sale, service, or general terms and conditions, are no longer valid. Plus, citizens must be able to withdraw consent as easily as they gave it. Consent is only one of the six legal bases the GDPR recognizes, however; performance of a contract (shipping an order, for instance) and an organization’s legitimate interests are others, and they do not require consent at all.

GDPR gives citizens certain rights, according to Mali, including:

The right to be informed, which allows citizens to know who is processing their data and how it will be used.

The right of access, which allows citizens to request confirmation that data is being collected and also to obtain a copy of all of it.

The right to rectification, which gives citizens the ability to fix inaccurate data and to send corrected data to any third-parties.

The right to erasure, which allows citizens to request deletion of data when there’s no longer a legitimate reason to keep it.

The right to restrict processing, which allows citizens to ask companies to stop processing the data without deleting it.

The right to data portability, which gives citizens the right to receive their data in a structured, commonly used, machine-readable format and to have it transmitted to another provider.

The right to object, which allows citizens to object to processing based on an organization’s legitimate interests or a public-interest task, and to object to direct marketing and related profiling at any time.

The practical implications of GDPR for IBM i shops – or any company facing compliance, for that matter – are wide and varied. For starters, GDPR mandates that organizations be able to protect data. Controllers must have ways to prevent data from being stolen, from being viewed by an unauthorized person, or from being used outside the scope of the consent or other legal basis under which it was collected.

The GDPR also mandates that organizations ensure the privacy and confidentiality of data, which assumes some form of access control and authentication. Organizations are required to keep records of their processing activities (Article 30) and to be able to detect and report breaches within 72 hours (Article 33), which assumes some type of monitoring and auditing system. There must also be documentation of security settings and policy.

Beyond naming encryption and pseudonymization as examples of appropriate safeguards (Article 32), the GDPR doesn’t tell organizations what technologies they must use to achieve these ends, according to Becky Hjellming of Syncsort (Vision Solutions). “Every organization is expected to make a reasonable determination of what data protection measures they need to take given the nature of the data they handle,” Hjellming writes in “IBM i Security and GDPR,” a slideshow on SlideShare.

With that said, the GDPR requirements seem to map fairly well to established IBM i security and auditing tools and techniques. For starters, IBM i shops should be familiar with management of object authorities on their IBM i system. They also must exhibit the capability to control remote access via network protocols, SQL, and other methods, Hjellming writes. And they must have strong authentication via passwords or multi-factor authentication methods, she writes.

Enforcive, the IBM i security vendor that was recently acquired by Syncsort/Vision, put together a fairly comprehensive guide to GDPR compliance for IBM i shops. In “Supporting GDPR on the IBM i,” the company assembled a table that maps GDPR requirements to specific enterprise security functions (see Figure 1).

Rocket Software says its lifecycle management software for IBM i can be used to track and govern access rights to data across development, test, and production systems, as put forth in GDPR Article 5. It also says its Rocket Aldon Lifecycle Manager IBM i Edition (LMi) can help with Article 25, which covers data protection by design and by default, as well as Article 32, which governs secure processing.

Raz-Lee Security recently launched a new tool that can help IBM i shops with compliance. Its Data Discovery for GDPR & PCI tool helps IBM i shops find data that could be covered under the GDPR. We covered this product in this newsletter two weeks ago.

Townsend Security, which develops database encryption solutions for IBM i and other servers, is also following the GDPR with interest. Patrick Townsend, the company’s founder, recently wrote a blog post discussing what the GDPR’s encryption provisions mean in practice.

“Most companies will use encryption to meet GDPR privacy requirements, and will be deploying encryption key management to protect the keys,” Townsend writes. “The hardest part of getting encryption right has to do with creating, protecting, and deploying encryption keys. It is probably the hardest part of getting an encryption strategy right – and there are a lot of ways to get key management wrong.”

Townsend says encryption technology can actually be used to help comply with the GDPR’s Right to Erasure (sometimes called the Right to be Forgotten, although that’s a bit of a misnomer). According to Townsend, if each EU citizen’s data is protected with a unique encryption key, then that data can effectively be erased by destroying the encryption key.

“Rather than go through every database table and storage server to delete the data, you could just delete the encryption key,” Townsend writes. “Assuming you have strong encryption keys and industry standard key deletion processes, the deletion of the key is an effective way to zero the protected data without actually modifying the database. Data that is encrypted is unrecoverable if the key is no longer available.”
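Townsend’s key-per-subject scheme, together with the pseudonymization that Article 32 names as an example safeguard, can be shown end to end in a few dozen lines. The Python below is an added example written for this article, not Townsend Security’s or any other vendor’s code. It uses only the standard library, so HMAC-SHA256 in counter mode stands in for a real AEAD such as AES-GCM, and an in-memory dictionary stands in for an external key manager or HSM. The subject identifiers and customer records are constructed sample data.

```python
"""Crypto-shredding demo: one data-encryption key (DEK) per data subject.

Erasing a subject means destroying that subject's DEK. The encrypted row stays
in the table untouched and becomes unrecoverable. Added example; stdlib only.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based stream cipher.

    Stand-in for AES-GCM so this runs without third-party packages. In
    production use a real AEAD and keep the DEKs in a key manager or HSM.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate sub-keys derived from the subject's DEK."""
    enc_key = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(dek, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)  # fresh per record; never reuse with the same key
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a modified row raises ValueError."""
    enc_key = hmac.new(dek, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(dek, b"mac", hashlib.sha256).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))


class KeyStore:
    """In-memory stand-in for an external key manager: one DEK per data subject."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def create(self, subject_id: str) -> bytes:
        self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id: str) -> bytes | None:
        return self._keys.get(subject_id)

    def destroy(self, subject_id: str) -> bool:
        """Crypto-shred: once the DEK is gone, every record under it is unreadable."""
        return self._keys.pop(subject_id, None) is not None


class CustomerTable:
    """Rows are stored under a pseudonym and encrypted with the subject's DEK.

    The pseudonym key and the DEKs are the "additional information" that the
    GDPR (Article 4(5)) says must be kept separately from pseudonymized data.
    """

    def __init__(self, keystore: KeyStore, pseudonym_key: bytes) -> None:
        self.keystore = keystore
        self.pseudonym_key = pseudonym_key
        self.rows: dict[str, bytes] = {}  # pseudonym -> encrypted record

    def pseudonym(self, subject_id: str) -> str:
        """Keyed hash, so the table alone cannot be joined back to real identifiers."""
        return hmac.new(self.pseudonym_key, subject_id.encode(), hashlib.sha256).hexdigest()

    def store(self, subject_id: str, record: dict) -> None:
        dek = self.keystore.get(subject_id) or self.keystore.create(subject_id)
        self.rows[self.pseudonym(subject_id)] = encrypt(dek, json.dumps(record).encode())

    def fetch(self, subject_id: str) -> dict | None:
        """Returns None once the subject is erased, even though the row still exists."""
        dek = self.keystore.get(subject_id)
        blob = self.rows.get(self.pseudonym(subject_id))
        if dek is None or blob is None:
            return None
        return json.loads(decrypt(dek, blob))

    def erase(self, subject_id: str) -> bool:
        """Right-to-erasure request: destroy the key, leave the table untouched."""
        return self.keystore.destroy(subject_id)


def demo() -> dict:
    """Constructed sample data; not taken from any real system."""
    table = CustomerTable(KeyStore(), secrets.token_bytes(32))
    table.store("cust-1001", {"name": "A. Example", "city": "Lyon"})
    table.store("cust-1002", {"name": "B. Example", "city": "Porto"})
    before = table.fetch("cust-1001")
    erased = table.erase("cust-1001")
    return {
        "before": before,
        "erased": erased,
        "after": table.fetch("cust-1001"),
        "other_still_readable": table.fetch("cust-1002"),
        "row_still_present": table.pseudonym("cust-1001") in table.rows,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter when this is done for real. First, erasure is only as good as the key destruction: the DEK must be gone from every copy of the key store, including its backups and any HSM replicas, and the destruction itself should be logged as the evidence of compliance. Second, database backups and journal receivers that hold the ciphertext are fine to keep, because without the key they contain nothing readable, but a backup of the key store taken before the deletion silently undoes the erasure.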

2 thoughts on “GDPR and IBM i: The Final Countdown”

OK. Great explanation, except to whom does this apply? If the only thing we have on our servers are names and addresses for purposes of shipping, does this apply to that? Names, addresses and telephone numbers are basically common knowledge. Can someone define where this ends?